Use a placeholder like ?, :name or @name and provide the actual values using a separate API call.
There are two good reasons to use bind parameters in programs:
* Security
Bind variables are the best way to prevent SQL injection.
* Performance
Not using bind parameters is like recompiling a program every time.

* MySQLi
The mysqli_stmt class in PHP 5 is used for prepared statements.

The MySQLi extension provides various benefits with respect to its predecessor:
* An object-oriented interface
* Support for prepared statements
* Support for multiple statements
* Support for transactions
* Enhanced debugging support
* Embedded server support
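As an added example (not code from the original page, from php.net or from use-the-index-luke.com), the same login lookup that appears in the question below, written with a MySQLi prepared statement so that the request values are bound as data instead of being spliced into the SQL text. It assumes a reachable MySQL database and a `users` table with `id`, `username` and `password` columns; the connection details and the `find_user` function name are placeholders chosen here.

```php
<?php
// Added example: login lookup with bound parameters via mysqli.
// Assumptions (not from the page): an open mysqli connection and a table
// `users` with columns `id`, `username`, `password`.

declare(strict_types=1);

/**
 * Look up a user by username and password using bound parameters.
 * The SQL string contains only `?` placeholders, so whatever characters the
 * client sends (quotes, comment markers, semicolons) are never parsed as SQL.
 */
function find_user(mysqli $db, string $username, string $password): ?array
{
    // The statement is parsed and planned once; the values travel separately.
    $stmt = $db->prepare(
        'SELECT id, username FROM users WHERE username = ? AND password = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }

    // "ss" declares both parameters as strings; they are sent in a separate
    // protocol message from the query text.
    $stmt->bind_param('ss', $username, $password);
    $stmt->execute();

    // get_result() needs the mysqlnd driver, which is the default in modern PHP.
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

// Usage with placeholder connection details (replace with your own).
$db = new mysqli('localhost', 'app', 'app-password-placeholder', 'appdb');
$db->set_charset('utf8mb4');

// Same inputs as the interpolated version, but passed as data, not as SQL.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

$user = find_user($db, $username, $password);
echo $user === null ? "login failed\n" : "welcome {$user['username']}\n";
```

The point to check in a review is that no user-supplied value reaches `prepare()` inside the query string; everything variable goes through `bind_param()`. Comparing a plaintext password column in SQL, as the original query does, is kept here only to stay close to the page's schema; a real application stores a hash and checks it with `password_verify()` after fetching the row.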
Sources: use-the-index-luke.com, php.net

Related Pages

1) What will be the username if you want to make an SQL injection on the following code?
<?php
// Deliberately vulnerable: both request values are spliced straight into the SQL text.
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT * FROM users
WHERE username='{$username}' AND password='{$password}'";
